CVE-2025-47906

MEDIUMNVD 6.56.5—Trending — 4 sources updated this week

6.5

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

CVSS v3: 6.5
EG Score: 6.5(medium)
EPSS: 10.0%
KEV: Not listed

Published

September 18, 2025

Last Modified

January 27, 2026

References (5)

security@golanghttps://go.dev/cl/691775
security@golanghttps://go.dev/issue/74466
security@golanghttps://groups.google.com/g/golang-announce/c/x5MKroML2yM
security@golanghttps://pkg.go.dev/vuln/GO-2025-3956
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2025/08/06/1

Vendor Advisories for CVE-2025-47906(15)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(20)

Vendor / Ecosystem	Fixed in / Patch	Released	Source
redhat	rhaiis/vllm-rocm-rhel9:1772160625	2026-02-27	redhat
redhat	rhaiis/vllm-cuda-rhel9:1772160593	2026-02-27	redhat
redhat	go-rpm-macros-0:3.0.9-12.el9_0	2025-12-22	redhat
redhat	go-rpm-macros-0:3.2.0-4.el9_4	2025-12-22	redhat
redhat	go-toolset:rhel8-8040020251212161217.5081a262	2025-12-22	redhat
redhat	go-toolset:rhel8-8060020251219132124.97d7f71f	2025-12-22	redhat
redhat	go-toolset:rhel8-8080020251215161342.17f3f959	2025-12-22	redhat
redhat	go-toolset:rhel8-8020020251212160632.02f7cb7a	2025-12-22	redhat
redhat	go-rpm-macros-0:3.2.0-2.el9_2	2025-12-22	redhat
redhat	rhaiis/vllm-rocm-rhel9:3.2.5-1765552603	2025-12-17	redhat
redhat	rhaiis/vllm-rocm-rhel9:3.2.5-1765361180	2025-12-15	redhat
redhat	rhui5/rhua-rhel9:5	2025-12-09	redhat
redhat	golang-0:1.17.13-8.el9_0	2025-12-09	redhat
redhat	go-toolset:rhel8-8100020251201162956.a3795dee	2025-12-03	redhat
redhat	golang-0:1.19.13-20.el9_2	2025-11-26	redhat
redhat	go-rpm-macros-0:3.6.0-11.el9_6	2025-11-25	redhat
redhat	go-rpm-macros-0:3.6.0-12.el9_7	2025-11-25	redhat
redhat	golang-0:1.21.13-12.el9_4	2025-11-20	redhat
redhat	golang-0:1.24.6-1.el10_0	2025-08-18	redhat
redhat	golang-0:1.24.6-1.el9_6	2025-08-18	redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(1 across 1 ecosystem)

Go(1)

Package	Vulnerable range	Fixed in	Dependents
stdlib	—	1.24.6	—

Additional Vendor Advisories

(6)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Data Freshness Timeline

(refreshed 12× in last 7d / 12× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-02 20:12 UTCepss_batch
2026-06-02 20:12 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 22:16 UTCEG score recompute
2026-05-29 22:16 UTCVendor advisory
2026-05-29 22:16 UTCGHSA enrichment
2026-05-29 13:44 UTCepss_batch

Frequently asked(5)

What is CVE-2025-47906?

CVE-2025-47906 is a medium vulnerability published on September 18, 2025. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

When was CVE-2025-47906 disclosed?

CVE-2025-47906 was first published in the National Vulnerability Database on September 18, 2025, with the most recent update on January 27, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2025-47906 actively exploited?

CVE-2025-47906 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 10.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2025-47906?

CVE-2025-47906 has a CVSS v3 base score of 6.5 (NVD).

How do I remediate CVE-2025-47906?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2025-47906, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2025-47906

Explore →

Is Your Infrastructure Affected by CVE-2025-47906?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2025-47906

📅 Published

🔄 Last Modified

🔗 References (5)

📣 Vendor Advisories for CVE-2025-47906(15)